Healthcare providers can face challenges with marketing, especially when many popular services are not compliant with HIPAA. Providers should ensure their marketing, analytics, or advertising vendors sign a BAA, don’t store data, and de-identify information when necessary.
One of the factors contributing to the rise in HIPAA breaches is the HHS bulletin, which provides stricter guidance on the use of third-party cookies, pixels, and other tracking technologies by healthcare companies. The bulletin expands the definition of protected health information (PHI), indicating that even using tracking technologies on websites and mobile apps accessible without user login could put healthcare companies at risk of privacy violations.
Big tech companies, such as Facebook and Google, have created leading marketing technologies and made them freely available to businesses. However, these companies also gain access to the data of organizations using their products. A recent study by The Markup found that 33 of the top 100 US hospitals used Facebook pixels on their websites, and seven of them used tracking codes on patients' portals behind the login walls, potentially exposing sensitive patient information.
The issue of HIPAA compliance in the healthcare industry extends beyond marketing technologies. Last year, numerous healthcare organizations, including telehealth provider Cerebral, submitted breach reports, acknowledging they violated the guidance from HHS, having disclosed personally identifiable information (PII) to other parties without sufficient HIPAA-protective measures.
Under the HIPAA privacy rule, sharing PHI for marketing and analytics is not a permitted disclosure. Healthcare providers must either sign a business associate agreement (BAA) with their vendors, establish a legally binding relationship to share PHI, or apply one of the valid de-identification methods to remove all identifiers from the PHI.
Due to HIPAA's strict regulations, healthcare providers must evaluate the compliance of every tool in their marketing stack. The leading analytics vendors, such as Google and Adobe, pose numerous risks and complications for healthcare providers. Google prohibits healthcare providers from keeping PHI in Google Analytics and won't sign a BAA, making it a non-compliant choice. Adobe has a list of HIPAA-ready services, but only certain products are compliant.
Healthcare organizations can look to other analytics vendors that apply HIPAA compliant measures, won't share data with third parties, and offer hosting on compliant infrastructure. Companies can also combine a data collection system, data warehouse, and data visualization tool, but this approach requires verifying the HIPAA compliance of each vendor.
Facebook tracking pixels on patient portals are not the only marketing activity that may violate patients' privacy. Advertising platforms like Facebook, Google, and LinkedIn Ads won't sign a BAA, meaning healthcare organizations must avoid including PHI in their campaigns. The most future-proof marketing solution for HIPAA-covered entities is establishing a first-party data ecosystem, where compliant marketing activities that use PHI include onsite retargeting, personalization, email campaigns, and ad campaign optimization.
In advertising, healthcare organizations must strip any trace of PHI from data before sending it to ad networks, and remove marketing pixels from password-protected apps and websites, such as patient portals. Another option is advertising that relies on neither retargeting nor PHI, such as contextual targeting and simple keyword-based ads.
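The two controls described above, removing PHI from data before it reaches an ad network and keeping tracking pixels off authenticated pages, can both be checked mechanically. The following is an added example in Python, not code from the article or from Paubox: the first function allowlists the fields an ad event may carry and scans the survivors for the identifier types the article lists (SSNs, dates of birth, contact details, record numbers); the second parses a page's HTML and flags known tracker hosts and 1x1 image beacons, escalating the finding when the page path is behind a login. The tracker host list, the regex patterns, the allowed field names, the authenticated path prefixes, and the sample event and HTML are all constructed for the example.

```python
import re
from html.parser import HTMLParser

# --- Control 1: scrub ad-network events -----------------------------------
# Only fields on this allowlist are forwarded; everything else is dropped.
# (Constructed allowlist for the example.)
ALLOWED_EVENT_FIELDS = {"event", "page_category", "campaign", "search_term"}

# Constructed patterns for identifier types that can leak through free text.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[-:\s]*\d+\b", re.IGNORECASE),
}


def sanitize_ad_event(event: dict) -> tuple[dict, list[str]]:
    """Return (clean_event, dropped_reasons).

    Fields not on the allowlist are dropped outright; allowed string fields
    are dropped too if any identifier pattern matches their value.
    """
    clean, dropped = {}, []
    for key, value in event.items():
        if key not in ALLOWED_EVENT_FIELDS:
            dropped.append(f"{key}: not on allowlist")
            continue
        if isinstance(value, str):
            hits = [name for name, pat in PHI_PATTERNS.items() if pat.search(value)]
            if hits:
                dropped.append(f"{key}: matches {','.join(hits)}")
                continue
        clean[key] = value
    return clean, dropped


# --- Control 2: find tracking pixels on authenticated pages ----------------
# Well-known tracker script/beacon hosts (constructed list for the example).
TRACKER_HOSTS = (
    "connect.facebook.net",
    "www.facebook.com/tr",
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "snap.licdn.com",
)
# Assumed path prefixes that sit behind a login on this hypothetical site.
AUTHENTICATED_PREFIXES = ("/portal/", "/patient/", "/myaccount/")


class _TrackerFinder(HTMLParser):
    """Collect (tag, reason) pairs for elements that load a tracker."""

    def __init__(self) -> None:
        super().__init__()
        self.found: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        hosts = [h for h in TRACKER_HOSTS if h in src]
        if hosts:
            self.found.append((tag, hosts[0]))
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.found.append((tag, "1x1 image beacon"))


def find_trackers(html: str) -> list[tuple[str, str]]:
    parser = _TrackerFinder()
    parser.feed(html)
    return parser.found


def audit_page(path: str, html: str) -> list[str]:
    """One finding per tracker; VIOLATION if the page is behind a login."""
    severity = "VIOLATION" if path.startswith(AUTHENTICATED_PREFIXES) else "REVIEW"
    return [f"{severity} {path}: <{tag}> loads {what}" for tag, what in find_trackers(html)]


# Constructed sample inputs.
SAMPLE_EVENT = {
    "event": "appointment_booked",
    "page_category": "cardiology",
    "campaign": "spring-checkup",
    "search_term": "appointment for 123-45-6789",  # SSN typed into site search
    "patient_name": "Jane Doe",
    "email": "jane@example.com",
}
SAMPLE_HTML = """<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000&ev=PageView"/></noscript>
<h1>Your lab results</h1></body></html>"""

if __name__ == "__main__":
    clean, dropped = sanitize_ad_event(SAMPLE_EVENT)
    print("forwarded:", clean)
    print("dropped:", dropped)
    for line in audit_page("/portal/results", SAMPLE_HTML):
        print(line)
```

Running an audit like this against a site crawl (or a CI build of the portal's templates) turns the "no pixels behind the login" rule into a check that fails before deployment, and the event sanitizer is the kind of server-side gate that belongs between a first-party data store and any ad platform that will not sign a BAA.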
The need for high standards of HIPAA compliance applies to all platforms that interact with patients' PHI, including analytics, marketing tools, and advertising ecosystems. Healthcare providers must invest in compliant vendors and establish a compliance strategy to unlock the full potential of data-driven marketing, analytics, and advertising while safeguarding patient privacy.
Paubox assists with HIPAA compliant email marketing by offering a secure platform designed specifically for healthcare providers. Paubox Marketing enables the creation of personalized and segmented email campaigns with features like secure storage of ePHI, customizable email templates, and advanced analytics to monitor campaign performance. By using Paubox Marketing, healthcare organizations can enhance patient engagement, improve communication, and achieve higher open and click-through rates with tailored messages, all within a secure and compliant environment.
Read more: HIPAA compliant email marketing: What you need to know
PHI includes any information that can identify an individual and is related to their past, present, or future physical or mental health condition, healthcare services provided, or payment for healthcare services. It includes names, addresses, birthdates, Social Security numbers, medical records, and any other unique identifiers.
Penalties can include fines ranging from $100 to $50,000 per violation, with a maximum annual penalty of $1.5 million. Severe violations can also lead to criminal charges and reputational damage.
Yes, marketing emails should avoid including any sensitive PHI unless necessary and permitted by the patient. The focus should be on providing general health information, updates, and promotions that do not compromise patient privacy.
Learn more: HIPAA Compliant Email: The Definitive Guide